Introduction

This article shows how to implement custom authentication in WCF. Only a user with the ADMIN role can call the Login() method.

Note: This article focuses only on checking the role of the user. You can modify this code to check the username, password and role of the user by reading them from a database.

SERVICE

Create Custom Principal

The idea is to supply your own IPrincipal implementation to WCF. This gives you the chance to implicitly run code after the authentication stage of each request. To do this, you create a custom principal and return it to the WCF plumbing. The custom principal is then available to the service code from Thread.CurrentPrincipal. Custom principals allow full customization of role-based security and expose specialized security logic for the service developer to use.

Writing a custom principal is straightforward. Simply implement the IPrincipal interface and add your own custom functionality. To integrate the principal with WCF, set the PrincipalPermissionMode attribute of the ServiceAuthorization element to "Custom" and provide an authorization policy that is responsible for creating the principal and handing it back to WCF.

An IPrincipal implementation must provide a single method, IsInRole, which takes a role name and returns a Boolean. In addition, the principal holds a reference to the identity it wraps.

Create Custom Authorization Policy

An authorization policy is simply a class that implements the System.IdentityModel.Policy.IAuthorizationPolicy interface. Implementations of this interface must provide a method called Evaluate, which is called on every request. Here you can reach into the WCF service security context and set the custom principal. The code below shows a custom principal as well as the authorization policy and its corresponding configuration entries.

The important part of AuthorizationPolicy:IAuthorizationPolicy is the Evaluate() method which, using the context of the claim evaluation, tries to get the PrimaryIdentity. This property represents the identity discovered by WCF during validation of the user's credentials. The method then wraps this identity in a CustomPrincipal and attaches it to the current context, making the principal available on the currently running thread.
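The following is an added example covering both the custom principal and the authorization policy described above; it is not the article's own code. The namespace CustomAuthDemo, the assembly name in the configuration comment, the service contract IMyService and the LookupRoles helper with its in-memory user table are all assumptions made for the example; a real service would read roles from its user store. It reads the identity from the evaluation context's "Identities" property (the same identity that later appears as ServiceSecurityContext.PrimaryIdentity) and publishes the principal through the "Principal" property, which is what WCF consults when principalPermissionMode is "Custom".

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

namespace CustomAuthDemo   // assumed namespace for this example
{
    // Custom principal: wraps the IIdentity WCF established for the request and
    // answers role checks from the role list the authorization policy supplied.
    public class CustomPrincipal : IPrincipal
    {
        private readonly IIdentity identity;
        private readonly string[] roles;

        public CustomPrincipal(IIdentity identity, string[] roles)
        {
            this.identity = identity;
            this.roles = roles ?? new string[0];
        }

        public IIdentity Identity { get { return identity; } }

        // The single method IPrincipal requires; compared case-insensitively so "Admin" matches "ADMIN".
        public bool IsInRole(string role)
        {
            return Array.Exists(roles, r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
        }
    }

    // Authorization policy: WCF calls Evaluate on every request. The principal stored in
    // Properties["Principal"] becomes Thread.CurrentPrincipal for the operation.
    public class CustomAuthorizationPolicy : IAuthorizationPolicy
    {
        private readonly string id = Guid.NewGuid().ToString();

        public string Id { get { return id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            // "Identities" holds the IIdentity objects WCF discovered while validating credentials.
            object obj;
            if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
                return false;                       // nothing authenticated: deny

            var identities = obj as IList<IIdentity>;
            if (identities == null || identities.Count == 0)
                return false;

            IIdentity primary = identities[0];      // the identity exposed as PrimaryIdentity
            if (!primary.IsAuthenticated)
                return false;

            evaluationContext.Properties["Principal"] = new CustomPrincipal(primary, LookupRoles(primary.Name));
            return true;
        }

        // Hypothetical role lookup over a constructed in-memory table; replace with a database read.
        private static string[] LookupRoles(string userName)
        {
            if (string.Equals(userName, "alice", StringComparison.OrdinalIgnoreCase))
                return new[] { "ADMIN" };
            return new[] { "USER" };
        }
    }

    [ServiceContract]
    public interface IMyService
    {
        [OperationContract]
        string Login();
    }

    public class MyService : IMyService
    {
        // Declarative check: with principalPermissionMode="Custom" this demand calls
        // CustomPrincipal.IsInRole("ADMIN"); a caller without the role gets a
        // SecurityAccessDeniedException before the method body runs.
        [PrincipalPermission(SecurityAction.Demand, Role = "ADMIN")]
        public string Login()
        {
            return "Welcome, " + Thread.CurrentPrincipal.Identity.Name;
        }
    }
}

/* Matching service behavior configuration (assumed assembly name "CustomAuthDemo"):
<serviceBehaviors>
  <behavior>
    <serviceAuthorization principalPermissionMode="Custom">
      <authorizationPolicies>
        <add policyType="CustomAuthDemo.CustomAuthorizationPolicy, CustomAuthDemo" />
      </authorizationPolicies>
    </serviceAuthorization>
  </behavior>
</serviceBehaviors>
*/
```

The principalPermissionMode value matters: "Custom" routes the PrincipalPermission demand to the principal your policy created, whereas "UseAspNetRoles" sends it to the ASP.NET role provider, which is why a missing role manager configuration surfaces as a role-manager or SQL error rather than a call into IsInRole. The same check can be made imperatively inside Login() by testing Thread.CurrentPrincipal.IsInRole("ADMIN") and throwing SecurityAccessDeniedException, which also gives you a place to log denied requests.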

Comments and Discussions

Congratulations on your article. I've tried to execute the project but it doesn't work. So I've created a new project for implementing the custom authorization. The problem is that it works only as Windows authentication. I only receive an IIdentity that references a WindowsIdentity object. When I try to get the name I obtain my Windows account name. CustomValidator instead is never called. Everything is deployed on IIS Express from the Visual Studio 2012 environment. How can I resolve this problem? I think that this article with a review could be a great milestone.

This is a great article. Thanks for that. My question is: in which method can I log those requests which are access denied? And another question is: what are the risks of using a self-signed certificate? Thank you very much.

I was busy for a long time and forgot to reply to some messages from you. I think that if you want to check permission inside the Login method, you can get the role from the current principal and throw a security exception if it's not the "Admin" role.

For your first question: I think we can use something like Session so you only need one database call! For your second question: for security in .NET there are two interfaces, IPrincipal & IIdentity, so we can do that. Please try them and give us your sample.

I've followed your example and understand most of it now, but I'm getting an error when testing: "The role manager feature has not been enabled". I added this to my web config file, but then I get a long wait and an error, Unable to connect to SQL database. There is no SQL DB call in the method I'm trying to run, just a response, "Welcome to MY WCF Service", so I believe I misunderstood and missed something out. I think my service is trying to check the roles on some SQL connection as opposed to checking in the Custom Principal. Any thoughts?